[EMAIL PROTECTED] writes:

> Anyhow, I realize that giving information "up front" on working usernames on the
> system is probably at least a small security risk, so I'd rather not do that,

I've yet to see anyone make a cogent argument for this, instead of
accepting it as a given.

The flip side of this coin is that you force yourself to accept mail to bad
recipients, with a forged return address, and thus you can now be used as a
middleman to mailbombing by proxy.  If THAT's not a security risk, I don't
know what is.  What do you think is a greater security risk: having the
ability to confirm local addresses, or having someone send you a couple of
thousand RCPT TOs to non-existent addresses, and a return address of
[EMAIL PROTECTED]?  Keep in mind that Qmail will happily explode that into
several thousand happy little messages that it will promptly bounce back to
the sender.

-- 
Sam

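As an added illustration (not part of the original message, and not qmail code), the toy Python model below contrasts the two receiver policies argued over above: accepting every RCPT TO and bouncing later, versus rejecting unknown recipients during the SMTP session. The mailbox names, the example.org/example.net addresses and the `MAX_BAD_RCPT` cap on unknown recipients per session are assumptions made for the example.

```python
# Added example: toy model of an SMTP receiver's recipient handling.
# Everything here (users, addresses, the cap) is constructed for illustration.
LOCAL_USERS = {"alice", "bob"}   # constructed local mailboxes
MAX_BAD_RCPT = 3                 # assumed cap on unknown recipients per session


def run_session(commands, validate_at_rcpt):
    """Feed SMTP commands to the toy receiver.

    Returns (replies, bounces): one reply code per command processed, and the
    (bounce_to, failed_recipient) pairs the server would generate afterwards.
    """
    replies, accepted, sender, bad, queued = [], [], None, 0, False
    for line in commands:
        verb, _, arg = line.partition(":")
        addr = arg.strip().strip("<>")
        verb = verb.upper()
        if verb == "MAIL FROM":
            sender = addr                      # unauthenticated, may be forged
            replies.append(250)
        elif verb == "RCPT TO":
            user = addr.split("@")[0].lower()
            if validate_at_rcpt and user not in LOCAL_USERS:
                bad += 1
                if bad > MAX_BAD_RCPT:
                    replies.append(421)        # close session: limits address probing
                    break
                replies.append(550)            # refused in-session, no bounce created
            else:
                accepted.append(user)
                replies.append(250)
        elif verb == "DATA":                   # message body elided in this model
            queued = bool(accepted)
            replies.append(250 if queued else 554)
            break
    # Only a queued message can bounce, and bounces go to the envelope sender.
    bounces = [(sender, u) for u in accepted if u not in LOCAL_USERS] if queued else []
    return replies, bounces


def sample_session(n_unknown):
    """Constructed transcript: one valid recipient plus n_unknown nonexistent ones."""
    cmds = ["MAIL FROM:<victim@example.net>", "RCPT TO:<alice@example.org>"]
    cmds += [f"RCPT TO:<nouser{i}@example.org>" for i in range(n_unknown)]
    return cmds + ["DATA"]


if __name__ == "__main__":
    for validate in (False, True):
        replies, bounces = run_session(sample_session(5), validate)
        print(f"validate_at_rcpt={validate}: replies={replies} bounces={len(bounces)}")
```

With validation off, every unknown recipient becomes a bounce addressed to the envelope sender; with validation on, the sending client gets the 550 directly and the receiver generates nothing, while the cap bounds how many addresses one session can test.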